I am currently using the Users API (this one here) with the Go language on my Google App Engine application. My users are getting the warning message when they first grant permissions that says "OpenID 2.0 for Google accounts is going away. Developers should migrate to OpenID Connect by April 20, 2015." But I can't find any warnings in the documentation for the Users API anywhere saying that anything will stop working, like I do all throughout other sections regarding OpenID 2.0 (here).
I am using very little of the Users API code, just to create the login urls like this:
url, _ := user.LoginURLFederated(c, return_url, "www.google.com/accounts/o8/id")
And to read the users' email addresses, like this:
u := user.Current(appengine.NewContext(r))
email := u.Email
Do I need to worry about migrating, or will the Users API handle everything without failing after April 20th?
Please read this information:
https://developers.google.com/identity/protocols/OpenID2Migration
https://developers.google.com/identity/protocols/OpenIDConnect
https://developers.google.com/identity/sign-in/auth-migration
You may also find this forum post helpful.
Apps that use user.LoginURLFederated in conjunction with Google Accounts will stop working. These apps need to follow the information in the first link above to migrate.
Apps can continue to use user.LoginURLFederated for use with various other third-party OpenID2 service providers.
So, it turns out that the answer is "YES!". Definitely stopped working. The older development versions of my website now take you to an error page when you try to sign in. Luckily I had moved away from the User package before the deadline to the much buggier Google Sign-In for Websites.
Related
I am new to Salesforce, but am an experienced developer. I am provided a link to a Salesforce report, which mostly has the right filters (query). I would like to use an REST API to pull that information as CSV or JSON so that I can do further processing on it.
Here are my questions:
Do I need special permissions to make API calls? What are they?
Do I need to create an "app" with client-key & secret? Does my admin need to grant me permission for this too?
There are a lot of REST APIs from Salesforce, which one do I need to get the info from the report? Analytics?
How do I authenticate in code?
You'd have to work with the System Administrator on the security pieces. Anybody who knows how the company works, can all users see everything, is there Single Sign-On in place, how likely is the report to change...
You will need an user account to pull the data. You need to decide if it'll be some "system account" (you know username and password and have them stored in your app) or can it run for any user in this org. It might not matter much but reports are "fun". If there will be data visibility issues 6 months from now, you'll be asked to make sure the report shows only French data to French users etc... you can make it in report filters or have multiple reports - or you can just use current users access and then it's the sysadmin that has to set the sharing rules right. (would you ever think about packaging what you did and reusing in another SF instance? Making a mobile app out of it? Things like that, they may sound stupid now but will help you decide on best path)
The user (whether it'll be system account or human) needs Profile permissions like "API Enabled" + whatever else you'd need normally ("Run Reports" etc). If you're leaning towards doing it with system user - you might want to look at Password Policies and maybe set password to Never Expires. Now this is bit dangerous so there would be other things you might want to read up about: "API only user" (can't login to website), maybe even locking down the account so it can login only from certain IP ranges or at certain times when the job's supposed to be scheduled...
Connected App and OAUth2 stuff - it's a good idea to create one, yes. Technically you don't have to, you could use SOAP API to call login, get session id... But it's bit weak, OAuth2 would give you more control over security. If you have sandboxes - there's little-known trick. You can make connected app in production (or even totally unrelated Developer Edition) and use client id & secret from it to login to sandboxes. If you create app in sandbox and you refresh it - keys stop working.
(back to security piece - in connected app you can let any user allow/deny access or sysadmin would allow only say these 3 users to connect, "pre-authorize". Could be handy)
Login - there are few REST API ways to login. Depends on your decision. if you have 1 dedicated user you'll probably go with "web server flow". I've added example https://stackoverflow.com/a/56034159/313628 if you don't have a ready SF connection library in your programming language.
If you'll let users login with their own credentials there will be typical OAuth "dance" of going to the target page (Google login, LinkedIn, Twitter...) and back to your app on success. This even works if client has Single Sign-On enabled. Or you could let people type in their username and pass into your app but that's not a great solution.
Pull the actual report already
Once you have session id. Official way would be to use Reporting API, for example https://developer.salesforce.com/docs/atlas.en-us.api_analytics.meta/api_analytics/sforce_analytics_rest_api_get_reportdata.htm
A quick & dirty and officially not supported thing is to mimic what happens when user clicks the report export in UI. Craft a GET request with right cookie and you're golden. See https://stackoverflow.com/a/57745683/313628. No idea if this will work if you went with dedicated account and "API access only" permission.
I have just verified the custom URL for my Sites Google. When I want to assign it, it says, "This URL is already in use by another Google service." Meanwhile, I don't remember using the URL for any Google service. I just verified it with Google Webmasters. Anyway, I use Plesk for my domain services. Any help?
This is my site: https://sites.google.com/view/alvisyhrn/home
This is my URL: www.alvisyahrin.com
Your help will be much appreciated.
Thank you.
I use Google Domains but was running into the same error message. This post suggests creating and then deleting a synthetic redirect record (e.g. www.alvisyahrin.com -> http://google.com) in Google Domains. This displayed a "All resource records in this synthetic record will be deleted." message before deleting, and seems to have done the trick, since as soon as I deleted the synthetic record Sites was willing to use it as a custom domain.
I realize you're using a different registrar for your domain, but visiting your site now it looks like you managed to get things working (I assume by doing something like this). Hopefully this will be a helpful breadcrumb for Google Domains users that run into this, at least.
Add me to the list of people confused by all this: https://developers.google.com/accounts/docs/OpenID#openid-connect. I currently use the Python Users API in an AppEngine application running at https://www.stackmonkey.com/. I build the login URL for my login button like this:
login_url = users.create_login_url(federated_identity='gmail.com', dest_url=dest_url)
self.redirect(login_url)
The Users API manages my user DB for me. I'm able to pull the current user's session with this code:
current_user = users.get_current_user()
Given the complete lack of information on the topic anywhere I've looked on Google's pages, I'm wondering if anyone has any information on whether the Users API can be made to work with the suggested migrations, or if Google is going to update the Users API to support the new authentication methods they suggest?
At least I have some time on this, but I'm really not looking forward to reimplementing an entire auth system in my app.
Small update, I've tried creating a sample application running at kordtest2.appspot.com which is returning a 400:
Error: Bad Request
Your client has issued a malformed or illegal request.
The code used for that sample app is cut and pasted from the Python getting started guide on their site (I can't post another link with this account).
I had the same problem, and it appears to be when I was logged into multiple GMAIL/GOOGLE accounts at the same time. When I logged out of all of them except one, that one worked fine with my code, based on the sample Python code.
I would like to use Oauth 2 for an application in Google App Engine with Java, but I dont find any good example of that use, I would be very thankful if somebody could help me please, it is something frustrating dont find good examples, thnak you.
My 2c is avoid oauth2 libraries. Of course opinions may vary, but for me they provide very leaky abstractions, so you end up being dragged into understanding oauth by the back door. For me at least, taking an hour to read the the two pages that tell you all you need to know, and carefully avoiding all the others, will get you where you want to be.
In simple terms, the steps are :-
Call the auth URL with your app/client ID and the scopes you require. Include the "email" scope.
Google will walk the user through login, and (if the first time through) authorisation dialogues
Eventually the browser will redirect back to your oauthcallback url, and pass you an auth code
Call google to convert the auth code to a refresh token. This will also return the user's google ID and an access token.
Store the user ID in your session so you can identify the user subsequently
Persist the refresh token alongside the google user id in a database
On subsequent visits...
If you have the google user id in the your session, you can retrieve the refresh token from your database and use it to generate access tokens as you need them.
If you do NOT have the google user id in your session, go through the steps above. This time, google will NOT prompt the user for authorisation (since it's already authorised), and the refresh token will be blank (since you already have one stored).
Everything you need to know is within the oauth playground page. If you click through the buttons, you will see that it is following the steps I outlined above.
You then need to deal with the possible error situations, eg
user declines permission
user withdraws permission
google expired the refresh token (happens a lot) so you need to re-auth
timeouts
The two pages you need to read are :-
https://developers.google.com/accounts/docs/OAuth2WebServer and the oauth playground at https://developers.google.com/oauthplayground/
Trust me, as long as you know how to form a URL, store a refresh token (it's just a string) and parse a JSON response, then everything you need is on those pages. Except ...
all the documentation skips over the need to preserve the user ID in your session so you know who it is that is accessing your app. If you're on AppEngine, you may be confused by the appengine sample code which uses a separate appengine login. Ignore it. You will be using oauth to authenticate the user so the appengine stuff doesn't apply and is somewhat confusing.
It's actually much simpler than some of the documentation would lead you to believe, and like I said, imho the leaky libraries don't help.
I'm trying to do exactly the same thing and I agree - it is extremely hard to find a good example of this.
I did find this youtube video however and I think it would help: https://www.youtube.com/watch?v=tVIIgcIqoPw.
Its from Google and it is called Getting Started with Google APIs. The last segment of the video deals with authentication.
There are several OAuth 2 client and server libraries for Java listed on this page: http://oauth.net/2/
Here's quick-start documentation for using Apache Otlu: https://cwiki.apache.org/confluence/display/OLTU/OAuth+2.0+Client+Quickstart
If you're accessing a Google API (as a client), you can use the Google client library for Java, which does OAuth as well as API set-up: https://code.google.com/p/google-api-java-client/
How to get the e-mail contents by getting the user's login details in google app engine?
Try taking a look at the GMail API. You'll probably want to use OAuth.
https://developers.google.com/gmail/
This is exactly what I'm doing in my current project. Google App Engine Blog introduced a company named "Context.IO" and they provide very easy API to access GMail. I've implemented it in my project successfully.
Links
GAE Blog
Demo (You can look for a contact, and get all its emails...)
My Experience
They also provide a Explore feature that allow you to post and get json data from your gmail accounts.
However, if you registered for a free API key here, they will limit to 3 mailboxes per day. You can run a cron job to delete it daily. The nice thing is that you can contact them to get more mailboxes for development purposes :)
Hope my experience can help you
You can also use google service account. https://developers.google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount
Then you can use it in order to get access to account under your domain.
$client = new Google_Client();
$client->setApplicationName('My App');
$client->setAuthConfigFile('path/to/service_account.json');
$client->useApplicationDefaultCredentials();
// account that we want to check
$client->setSubject('account#mydomain.com');
$client->setAccessType('offline');
$client->setScopes([Google_Service_Gmail::GMAIL_READONLY]);
$service = new Google_Service_Gmail($client);
$messagesResponse = $service->users_messages->listUsersMessages('me');